Show filters
139 Total Results
Displaying 51-60 of 139
Sort by:
Attacker Value
Unknown

CVE-2022-25921

Disclosure Date: August 29, 2022 (last updated February 24, 2025)
All versions of package morgan-json are vulnerable to Arbitrary Code Execution due to missing sanitization of input passed to the Function constructor.
Attacker Value
Unknown

CVE-2022-23460

Disclosure Date: August 19, 2022 (last updated February 24, 2025)
Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx json parsing may lead to stack exhaustion in an address sanitized (ASAN) build. This issue may lead to Denial of Service if the program using the jsonxx library crashes. This issue exists on the current commit of the jsonxx project and the project itself has been archived. Updates are not expected. Users are advised to find a replacement.
Attacker Value
Unknown

CVE-2022-23459

Disclosure Date: August 19, 2022 (last updated February 24, 2025)
Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx use of the Value class may lead to memory corruption via a double free or via a use after free. The value class has a default assignment operator which may be used with pointer types which may point to alterable data where the pointer itself is not updated. This issue exists on the current commit of the jsonxx project. The project itself has been archived and updates are not expected. Users are advised to find a replacement.
Attacker Value
Unknown

CVE-2022-36010

Disclosure Date: August 15, 2022 (last updated February 24, 2025)
This library allows strings to be parsed as functions and stored as a specialized component, [`JsonFunctionValue`](https://github.com/oxyno-zeta/react-editable-json-tree/blob/09a0ca97835b0834ad054563e2fddc6f22bc5d8c/src/components/JsonFunctionValue.js). To do this, Javascript's [`eval`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) function is used to execute strings that begin with "function" as Javascript. This unfortunately could allow arbitrary code to be executed if it exists as a value within the JSON structure being displayed. Given that this component may often be used to display data from arbitrary, untrusted sources, this is extremely dangerous. One important note is that users who have defined a custom [`onSubmitValueParser`](https://github.com/oxyno-zeta/react-editable-json-tree/tree/09a0ca97835b0834ad054563e2fddc6f22bc5d8c#onsubmitvalueparser) callback prop on the [`JsonTree`](https://github.com/oxyno-zeta/react-editable-json-tree/…
Attacker Value
Unknown

CVE-2022-31117

Disclosure Date: July 05, 2022 (last updated February 24, 2025)
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. In versions prior to 5.4.0 an error occurring while reallocating a buffer for string decoding can cause the buffer to get freed twice. Due to how UltraJSON uses the internal decoder, this double free is impossible to trigger from Python. This issue has been resolved in version 5.4.0 and all users should upgrade to UltraJSON 5.4.0. There are no known workarounds for this issue.
Attacker Value
Unknown

CVE-2022-31116

Disclosure Date: July 05, 2022 (last updated February 24, 2025)
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Affected versions were found to improperly decode certain characters. JSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded incorrectly. Besides corrupting strings, this allowed for potential key confusion and value overwriting in dictionaries. All users parsing JSON from untrusted sources are vulnerable. From version 5.4.0, UltraJSON decodes lone surrogates in the same way as the standard library's `json` module does, preserving them in the parsed output. Users are advised to upgrade. There are no known workarounds for this issue.
Attacker Value
Unknown

CVE-2022-25845

Disclosure Date: June 10, 2022 (last updated February 23, 2025)
The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).
Attacker Value
Unknown

CVE-2022-30241

Disclosure Date: May 04, 2022 (last updated February 23, 2025)
The jquery.json-viewer library through 1.4.0 for Node.js does not properly escape characters such as < in a JSON object, as demonstrated by a SCRIPT element.
Attacker Value
Unknown

CVE-2022-23631

Disclosure Date: February 09, 2022 (last updated February 23, 2025)
superjson is a program to allow JavaScript expressions to be serialized to a superset of JSON. In versions prior to 1.8.1 superjson allows input to run arbitrary code on any server using superjson input without prior authentication or knowledge. The only requirement is that the server implements at least one endpoint which uses superjson during request processing. This has been patched in superjson 1.8.1. Users are advised to update. There are no known workarounds for this issue.
Attacker Value
Unknown

CVE-2021-45958

Disclosure Date: January 01, 2022 (last updated February 23, 2025)
UltraJSON (aka ujson) through 5.1.0 has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode). Exploitation can, for example, use a large amount of indentation.